Date:      Wed, 18 Apr 2007 14:06:05 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        ipfw@freebsd.org
Subject:   Re: ipfw changes being contemplated..
Message-ID:  <B0E21175-5606-4DAB-9810-BA8F162BE17B@mac.com>
In-Reply-To: <46268689.1080301@elischer.org>
References:  <46268689.1080301@elischer.org>

On Apr 18, 2007, at 1:58 PM, Julian Elischer wrote:
> I'm contemplating the following changes to functionality:
> I'd like suggestions and comments...
>
> 1/ Commit capability
>  In this change you declare a new firewall,
>  and modify/build it, and then you 'commit' it so that
>  the whole change is atomic.
[ ... ]
> 5/
> ability to have multiple firewalls.. (extension of (1))
>  ipfw new 1  ipfw rules 1 add ....
>  ....
>  ipfw commit 1 bridge "bridge0"
>
>  different rule sets for different entry points.
>  ethernet layer (Layer2), IP output, bridging, IP input, different input interfaces?
>
> 6/ corollary of 5
>   ability for one firewall to call into another..
>   ipfw new 2   ipfw add [IP tests]
>
>
>   ipfw new 1
>   ipfw rules 1 add 1000 check rules 2 mac-type ipv4
>   commit 2 bridge

It seems to me that IPFW2 already has these three capabilities?
 From the manpage:

      Also, each rule belongs to one of 32 different sets, and there are ipfw
      commands to atomically manipulate sets, such as enable, disable, swap
      sets, move all rules in a set to another one, delete all rules in a set.
      These can be useful to install temporary configurations, or to test them.
      See Section SETS OF RULES for more information on sets.
[ ... ]
SETS OF RULES
      Each rule belongs to one of 32 different sets, numbered 0 to 31.  Set 31
      is reserved for the default rule.

      By default, rules are put in set 0, unless you use the set N attribute
      when entering a new rule.  Sets can be individually and atomically
      enabled or disabled, so this mechanism permits an easy way to store
      multiple configurations of the firewall and quickly (and atomically)
      switch between them.  The command to enable/disable sets is
[ ... ]

-- 
-Chuck
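The "build it, then commit it atomically" workflow from item 1 of Julian's list, done with the set operations the manpage excerpt above describes. This is an added example, not code from this thread or from ipfw itself. It assumes FreeBSD ipfw(8) with the "set disable", "set enable", "set swap" and "delete set" subcommands, that set 0 (the default set) holds the live rules, and that set 18 is free to use as a staging set; the rule bodies in the demo are constructed for illustration. IPFW defaults to "echo ipfw", so running the script as-is only prints the commands it would issue; run it as root with IPFW=/sbin/ipfw to actually apply them.

```shell
#!/bin/sh
# Added example (not from the thread or ipfw(8)): an atomic "commit" of a
# new ruleset built from ipfw's existing set operations.  Assumes set 0 is
# the live set and set 18 is a free staging set.  IPFW="echo ipfw" is a
# dry run; set IPFW=/sbin/ipfw (as root, on FreeBSD) to apply for real.

IPFW=${IPFW:-"echo ipfw"}

# stage_rules SET BASE  -- read rule bodies from stdin and load them into SET,
# numbered BASE, BASE+10, ...  SET is disabled first, so nothing becomes live
# while it is being filled, and emptied so a previous staging run cannot leak
# rules into this commit.  Blank lines and '#' comments are skipped.
stage_rules() {
    set_no=$1; num=$2
    $IPFW set disable "$set_no" || return 1
    $IPFW delete set "$set_no" || :     # an already-empty set is fine
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac
        # $rule is intentionally unquoted: each word is one ipfw argument
        $IPFW add "$num" set "$set_no" $rule || return 1
        num=$((num + 10))
    done
}

# commit_rules LIVE STAGED -- make the staged ruleset live in one step.
# "set swap" exchanges the set numbers of the two rule groups inside the
# kernel; the enabled/disabled flag belongs to the set number, not to the
# rules, so the staged rules become the enabled LIVE set and the old rules
# land in the still-disabled STAGED set.  There is no moment at which only
# part of the new configuration is installed.  Swapping the same pair again
# rolls back to the previous ruleset.
commit_rules() {
    $IPFW set swap "$1" "$2"
}

# Constructed demo: replace the live ruleset (set 0) with a staged one.
stage_rules 18 1000 <<'EOF'
# loopback first, then drop loopback addresses seen on real interfaces
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
# established TCP is fine, new inbound connections are not
allow tcp from any to any established
deny tcp from any to any in setup
EOF
commit_rules 0 18
```

Because the previous rules survive in the disabled staging set, the usual "regain control if I locked myself out" trick is one more swap after a timeout, e.g. `commit_rules 0 18; sleep 30 && commit_rules 0 18`, cancelled by hand once the new ruleset is known to be good. Note that, as the manpage says, dynamic rules created by the old rules stay active until they expire; the swap does not flush them.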

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B0E21175-5606-4DAB-9810-BA8F162BE17B>